Add stash uv.lock and enable exclude-newer cooldown across all pyprojects

Introduce stash/uv.lock so the stash environment resolves to the same
pinned set locally and in CI, and turn on uv's `exclude-newer = "7 days"`
in root, pelican, and stash pyproject.tomls. Register /stash/ under the
`uv` package-ecosystem in dependabot.yml so Dependabot picks up the new
lockfile with the same 7-day cooldown.

Pinning uv.lock and gating resolution on a release-age floor defends
both local development and CI from accidentally installing freshly
published malicious versions: a compromised package has to sit public
for the cooldown window before uv will resolve to it, giving time for
yanks and disclosures to land before it reaches a developer's machine.

Bumps `required-version` to >=0.9.17 because friendly-duration values
for `exclude-newer` were added in that release.

Generated-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: potiuk

.github/dependabot.yml

@@ -52,6 +52,7 @@ updates:
     directories:
       - "/"
       - "/pelican/"
+      - "/stash/"
     schedule:
       interval: "weekly"
     cooldown:

pelican/pyproject.toml

@@ -86,12 +86,13 @@ Issues = "https://github.com/apache/infrastructure-actions/issues"
 [tool.setuptools]
 py-modules = ["plugin_paths"]
 
-# uv settings. `required-version` enforces a minimum uv at runtime — PEP 735
-# dependency groups (used by [dependency-groups].dev and Hatch's env config
-# below) were added in uv 0.4.27, and the `required-version` setting itself
-# was added in uv 0.5.0, so 0.5.0 is the floor we can enforce.
+# uv settings. `required-version` enforces a minimum uv at runtime. The
+# floor is 0.9.17 because friendly-duration values for `exclude-newer`
+# (e.g. "7 days") were only added in that release; earlier uv versions
+# accept just RFC 3339 timestamps.
 [tool.uv]
-required-version = ">=0.5.0"
+required-version = ">=0.9.17"
+exclude-newer = "7 days"
 
 # Hatch environment definition. Hatch reads PEP 735 [dependency-groups]
 # directly, so the `dev` group above is the single source of truth for

pelican/uv.lock

@@ -34,4 +34,5 @@ dev = [
 ]
 
 [tool.uv]
-exclude-newer = "4 days"
+required-version = ">=0.9.17"
+exclude-newer = "7 days"

pyproject.toml

@@ -69,7 +69,8 @@ Issues = "https://github.com/apache/infrastructure-actions/issues"
 py-modules = []
 
 [tool.uv]
-required-version = ">=0.5.0"
+required-version = ">=0.9.17"
+exclude-newer = "7 days"
 
 [tool.hatch.envs.default]
 installer = "uv"